Hackers of India

Breaking ML Services: Finding 0-days in Azure Machine Learning

By Nitesh Surana on 25 Aug 2023 @ HITBSecConf


Presentation Material

Abstract

Cloud service providers offer Machine-Learning-as-a-Service (MLaaS) platforms, enabling companies to leverage scalability and reliability while performing ML operations. With the huge worldwide adoption of such systems, the security posture of the platform itself often goes unnoticed, as has been observed in previous research on vulnerabilities in Google's AI Hub and AWS's SageMaker Jupyter Notebook services.

We investigated Azure ML (AML), a managed MLaaS offering from Microsoft. We found five 0-days across three broad classes of security issues, namely:

Insecure logging of sensitive information – We found five instances of credentials leaking in cleartext on Compute Instances, due to insecure usage of open-source components and the insecure design of how the environment is provisioned.
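To make the class of issue concrete, here is a minimal sketch of how one might sweep a Compute Instance's log files for cleartext secrets. The log root and the detection patterns are illustrative assumptions, not the specific locations or components named in the talk:

```python
import re
from pathlib import Path

# Illustrative patterns for cleartext secrets; real detections would be
# tuned to the specific components running on the Compute Instance.
PATTERNS = {
    "storage_account_key": re.compile(r"AccountKey=[A-Za-z0-9+/=]{20,}"),
    "jwt": re.compile(r"eyJ[A-Za-z0-9_-]+\.eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
}

# Hypothetical log root; actual AML Compute Instance log paths vary.
LOG_ROOT = Path("/var/log")

def scan_logs(root: Path) -> None:
    """Walk log files and flag lines that look like leaked credentials."""
    for path in root.rglob("*.log"):
        try:
            lines = path.read_text(errors="ignore").splitlines()
        except OSError:
            continue  # unreadable file; skip
        for lineno, line in enumerate(lines, 1):
            for name, pattern in PATTERNS.items():
                if pattern.search(line):
                    print(f"[{name}] {path}:{lineno}")

if __name__ == "__main__":
    scan_logs(LOG_ROOT)
```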

MLSee: A vulnerability allowing sensitive information disclosure – We found a case of exposed APIs in cloud middleware leaking sensitive information from Compute Instances. The vulnerability could be leveraged by network-adjacent attackers, after initial access, to move laterally or snoop on commands executed via the Jupyter terminal on a Compute Instance.
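The shape of the issue is an unauthenticated API answering on the instance's network. The sketch below probes such an endpoint; the host, port, and path are placeholders, since the abstract does not name the real middleware API:

```python
import requests

# Hypothetical endpoint: the talk describes cloud-middleware APIs on the
# Compute Instance answering network-adjacent callers without credentials;
# the actual host, port, and path are not reproduced here.
MIDDLEWARE_URL = "http://127.0.0.1:8080/status"

def probe(url: str) -> None:
    """Issue an unauthenticated request and report whether the API answers."""
    try:
        resp = requests.get(url, timeout=5)
    except requests.RequestException as exc:
        print(f"no response: {exc}")
        return
    # An API that answers without credentials is the condition described in
    # the talk; its response body may contain sensitive information.
    print(resp.status_code, resp.text[:200])

if __name__ == "__main__":
    probe(MIDDLEWARE_URL)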

Achieving Persistence – While reverse-engineering cloud middleware to decipher its functionality, we found two ways to achieve persistence in AML environments. First, an attacker could fetch the Storage Account access key and the Azure AD JWT of the system-assigned managed identity of the Compute Instance, even from non-Azure environments.
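For context, the sketch below shows the documented route through which a VM's system-assigned managed identity normally obtains an Azure AD token: the Azure Instance Metadata Service (IMDS). The finding above is that an equivalent token could be obtained outside Azure, which this sketch does not reproduce:

```python
import requests

# Documented Azure Instance Metadata Service (IMDS) endpoint through which a
# VM's system-assigned managed identity normally obtains Azure AD tokens.
IMDS_URL = "http://169.254.169.254/metadata/identity/oauth2/token"

def get_managed_identity_token(resource: str = "https://management.azure.com/") -> str:
    """Fetch an Azure AD JWT for the VM's managed identity via IMDS.

    This only works from inside an Azure VM; the talk's finding was that an
    equivalent token could also be obtained from non-Azure environments.
    """
    resp = requests.get(
        IMDS_URL,
        params={"api-version": "2018-02-01", "resource": resource},
        headers={"Metadata": "true"},
        timeout=5,
    )
    resp.raise_for_status()
    return resp.json()["access_token"]

if __name__ == "__main__":
    print(get_managed_identity_token()[:40], "...")
```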

Through this talk, attendees will learn about the different issues found in AML, which may extend to other cloud-based MLaaS platforms. As we take a deep dive into the security issues, we will demonstrate the techniques we adopted while researching the service, giving attendees a glimpse of how the security of managed services like AML can be assessed when there are blurred lines in the shared responsibility model…

AI Generated Summary (may contain errors)

Here is a summary of the content:

The speaker discusses their research on Azure Machine Learning (AML) services and the vulnerabilities they discovered. To test whether hosts can be reused, they created a malicious job that wrote a file on the underlying host. The expectation was that each new job would run on a fresh virtual machine (VM), in which case the file should not exist. However, although AML uses batch pools whose VMs are unique and isolated per workspace, the speaker found that jobs can sometimes reuse existing VMs when they are available.
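A minimal sketch of such a reuse probe, assuming the v2 azure-ai-ml SDK, follows. The workspace coordinates, compute name, environment, and marker path are placeholders; whether the marker actually lands on the host depends on how the job container mounts the host filesystem, and the talk used a host-visible path:

```python
from azure.ai.ml import MLClient, command
from azure.identity import DefaultAzureCredential

# Workspace coordinates, compute, and environment names are illustrative.
ml_client = MLClient(
    DefaultAzureCredential(),
    subscription_id="<subscription-id>",
    resource_group_name="<resource-group>",
    workspace_name="<workspace>",
)

# If the marker survives between submissions, the job landed on a reused VM
# rather than a freshly provisioned one.
marker_check = (
    "test -f /tmp/aml_marker && echo VM_REUSED || "
    "(echo FRESH_VM && touch /tmp/aml_marker)"
)

job = command(
    command=marker_check,
    environment="azureml:AzureML-sklearn-1.0-ubuntu20.04-py38-cpu@latest",
    compute="cpu-cluster",
    display_name="vm-reuse-probe",
)

submitted = ml_client.jobs.create_or_update(job)
print(submitted.studio_url)
```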

The speaker also shared their findings on other issues:

  1. Storage Account access keys being logged in multiple places.
  2. The user's JSON Web Token (JWT) being logged (see the decoding sketch after this list).
  3. Engine access logs exposing sensitive information.
  4. Agents exposing sensitive information in VNet environments.
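To gauge what a JWT found in a log actually grants, its claims can be read without verifying the signature. This is a generic sketch, not the speaker's tooling; the sample token below is made up and structurally valid only for demonstration:

```python
import base64
import json

def decode_jwt_claims(token: str) -> dict:
    """Decode the claims segment of a JWT without verifying its signature.

    Useful for assessing a leaked token: e.g. its 'aud' (audience),
    'oid' (object id), and 'exp' (expiry) claims.
    """
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

# Made-up token with a fake signature, for illustration only.
sample = ".".join([
    base64.urlsafe_b64encode(b'{"alg":"RS256"}').decode().rstrip("="),
    base64.urlsafe_b64encode(
        b'{"aud":"https://management.azure.com/","exp":0}'
    ).decode().rstrip("="),
    "sig",
])
print(decode_jwt_claims(sample))
```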

To mitigate these issues, the speaker recommends:

  1. Setting up an environment using virtual networks, private links, and private endpoints.
  2. Implementing secure deployment strategies to ensure defense in depth.
  3. Monitoring cloud environments for changes using cloud-native solutions.
  4. Verifying the integrity of Jupyter notebooks, scripts, models, and datasets (see the sketch after this list).
  5. Auditing managed services to uncover silent threats.
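One simple way to implement the integrity check in item 4 is a hash baseline: record a digest of every tracked asset, then compare on later runs. The directory names and baseline filename below are illustrative assumptions:

```python
import hashlib
import json
from pathlib import Path

# Paths and the baseline filename are illustrative.
ASSET_DIRS = [Path("notebooks"), Path("models"), Path("datasets")]
BASELINE = Path("asset_hashes.json")

def sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(8192), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot() -> dict:
    """Hash every tracked asset so later runs can detect tampering."""
    return {
        str(p): sha256(p)
        for d in ASSET_DIRS if d.exists()
        for p in sorted(d.rglob("*")) if p.is_file()
    }

def verify() -> None:
    baseline = json.loads(BASELINE.read_text())
    current = snapshot()
    for path, digest in current.items():
        if baseline.get(path) not in (None, digest):
            print(f"MODIFIED: {path}")
    for path in baseline.keys() - current.keys():
        print(f"MISSING: {path}")

if __name__ == "__main__":
    if BASELINE.exists():
        verify()
    else:
        BASELINE.write_text(json.dumps(snapshot(), indent=2))
```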

The speaker also mentions that Microsoft has made it easy to be secure by default through the network isolation options offered when creating an AML workspace. They conclude by emphasizing the importance of securing machine learning environments and encourage others to “hack out of the box” to discover more vulnerabilities.
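As a rough illustration of those options, the sketch below creates a workspace with managed network isolation and public network access disabled, assuming the v2 azure-ai-ml SDK; the names and region are placeholders, and the exact classes and enum values should be checked against the SDK version in use:

```python
from azure.ai.ml import MLClient
from azure.ai.ml.entities import Workspace, ManagedNetwork
from azure.ai.ml.constants import IsolationMode
from azure.identity import DefaultAzureCredential

ml_client = MLClient(
    DefaultAzureCredential(),
    subscription_id="<subscription-id>",
    resource_group_name="<resource-group>",
)

# Workspace with managed network isolation: outbound traffic is restricted
# to approved destinations and the workspace is not reachable over the
# public internet.
ws = Workspace(
    name="secure-aml-ws",
    location="eastus",
    public_network_access="Disabled",
    managed_network=ManagedNetwork(
        isolation_mode=IsolationMode.ALLOW_ONLY_APPROVED_OUTBOUND
    ),
)

ml_client.workspaces.begin_create(ws).result()
```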